Citrix Vulnerabilities Rising – When Gateways Give Way

Citrix disclosed three critical/high vulnerabilities in NetScaler ADC and Gateway (CVE-2025-7775, CVE-2025-7776, CVE-2025-8424) that enable remote code execution, denial of service, and unauthorized management access; CVE-2025-7775 is already being actively exploited and all three are in CISA’s KEV catalog. Over 28,000 exposed NetScaler instances were observed online, increasing urgency to patch, restrict management interfaces, and hunt for post-exploitation artifacts. #CVE-2025-7775 #CVE-2025-7776

Key points

  • Three vulnerabilities (CVE-2025-7775, CVE-2025-7776, CVE-2025-8424) affect NetScaler ADC/Gateway versions including 13.1, 14.1, 13.1-FIPS, and NDcPP with CVSS scores 9.2, 8.8, and 8.7 respectively.
  • CVE-2025-7775 is a critical memory overflow enabling remote code execution or denial of service and is already observed in active attacks.
  • Researchers observed more than 28,000 internet-exposed Citrix NetScaler instances vulnerable to CVE-2025-7775 via Shadowserver scans.
  • Attackers fingerprint vulnerable devices by requesting /vpn/js/rdx/core/lang/rdx_en.json.gz, upload payloads via /api/v1/configuration, and verify exploitation using /var/tmp/poc_test.txt.
  • Mitigations include immediate patching (CTX69493), disabling unnecessary IPv6 and PCoIP profiles, restricting management interfaces (NSIP, SNIP, Cluster IP, GSLB Site IP), and forcing session termination after updates.
  • Post-exploitation hunting should look for webshells under /var/netscaler/ and /var/vpn, modified configs (/flash/nsconfig/rc.netscaler, /etc/httpd.conf), unusual SUID files (e.g., /var/tmp/sh), malicious crontabs, and NSPPE core dumps in /var/core/.
  • Incident response recommendations: isolate compromised devices, collect forensics, rebuild from clean images, rotate credentials and tokens, reissue TLS certs, and subscribe to CISA KEV and vendor advisories.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – Memory overflow (CVE-2025-7775/CVE-2025-7776) used to achieve remote code execution or denial of service: ‘Memory overflow leading to Remote Code Execution (RCE) or Denial of Service’ and ‘Memory overflow vulnerability causing erroneous behavior / DoS’.
  • [T1553] Subvert Trust Controls – Improper access control on management interfaces (CVE-2025-8424) allowing unauthorized access: ‘Improper Access Control allowing access via NSIP, Cluster IP, GSLB Site IP, or SNIP with management access’.
  • [T1595] Active Scanning – Adversaries perform scanning and fingerprinting using GET requests to /vpn/js/rdx/core/lang/rdx_en.json.gz to enumerate versions: ‘sending GET requests to the URI /vpn/js/rdx/core/lang/rdx_en.json.gz in order to enumerate the version.’
  • [T1105] Ingress Tool Transfer – Attackers upload payloads via the /api/v1/configuration/ path to place malicious files on the appliance: ‘attempt to upload payloads via the /api/v1/configuration/ path.’
  • [T1566] Phishing / Initial Access via Exploit Public-Facing Application – Targeting exposed NetScaler appliances as internet-facing VPN/Gateway devices to gain initial access and pivot: ‘Devices are exposed to the internet and configured as Gateways (VPN, ICA Proxy, RDP Proxy)’.
  • [T1053] Scheduled Task/Job – Persistence via malicious crontab entries observed as post-exploitation artifacts: ‘Monitor for malicious crontab entries or other persistence artifacts left behind by attackers.’

Indicators of Compromise

  • [HTTP Request URI] fingerprinting and exploitation – GET /vpn/js/rdx/core/lang/rdx_en.json.gz (version enumeration), POST /api/v1/configuration (payload upload), GET /var/tmp/poc_test.txt (verification).
  • [IP Address] observed scanning/exploitation – 116.203.235.29 (network scans targeting Citrix vulnerabilities) and other scanning hosts identified by Shadowserver/Censys.
  • [File Paths / Names] post-exploitation artifacts – /var/netscaler/ webshells, /var/vpn webshells, /var/tmp/poc_test.txt (exploit verification), and example persistence files like /var/tmp/sh (SUID) and modified configs /flash/nsconfig/rc.netscaler, /etc/httpd.conf.
  • [Exposure Counts] internet-exposed devices – 28,000+ publicly accessible NetScaler instances vulnerable to CVE-2025-7775 (Shadowserver scan results) and numerous Censys-observed instances.
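A hunting helper for the request URIs listed above, added here as an example (it is not code from the Logpoint post). It parses Apache-style combined access log lines, buckets hits per source IP by the phase of the observed chain (fingerprint, upload, verify), and rates each source; the log lines and the second and third client IPs are constructed, and the combined log format is an assumption.

```python
import re
from collections import defaultdict

# Request URIs called out in the advisory summary, mapped to the phase of
# the observed exploitation chain they indicate. Trailing slashes are
# normalised away before lookup so /api/v1/configuration/ also matches.
SUSPECT_URIS = {
    ("GET", "/vpn/js/rdx/core/lang/rdx_en.json.gz"): "fingerprint",
    ("POST", "/api/v1/configuration"): "upload",
    ("GET", "/var/tmp/poc_test.txt"): "verify",
}

# Minimal combined-log-format parser: source IP, method and request path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)

def classify(line):
    """Return the chain phase a single log line indicates, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0].rstrip("/")
    return SUSPECT_URIS.get((m.group("method"), path))

def hunt(lines):
    """Count suspect requests per source IP: {ip: {phase: count}}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        phase = classify(line)
        if phase:
            hits[LOG_RE.match(line).group("ip")][phase] += 1
    return {ip: dict(phases) for ip, phases in hits.items()}

def severity(phases):
    """Fingerprinting alone is scanning; an upload or verify hit means
    the source got past enumeration and warrants incident response."""
    if "upload" in phases or "verify" in phases:
        return "likely-exploitation"
    return "scanning" if "fingerprint" in phases else "none"

def report(lines):
    """Map each source IP that touched a suspect URI to its severity."""
    return {ip: severity(p) for ip, p in hunt(lines).items()}

# Constructed sample log: the first IP is the scanner noted in the summary,
# the other two are documentation addresses used only for illustration.
SAMPLE_LOG = [
    '116.203.235.29 - - [26/Aug/2025:10:01:02 +0000] "GET /vpn/js/rdx/core/lang/rdx_en.json.gz HTTP/1.1" 200 512',
    '116.203.235.29 - - [26/Aug/2025:10:01:09 +0000] "POST /api/v1/configuration/ HTTP/1.1" 200 73',
    '116.203.235.29 - - [26/Aug/2025:10:01:15 +0000] "GET /var/tmp/poc_test.txt HTTP/1.1" 200 12',
    '198.51.100.7 - - [26/Aug/2025:10:05:00 +0000] "GET /vpn/js/rdx/core/lang/rdx_en.json.gz HTTP/1.1" 200 512',
    '203.0.113.5 - - [26/Aug/2025:10:06:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 4096',
]
```

Feed real gateway access logs to `report()` line by line; a "likely-exploitation" source should trigger the post-exploitation artifact checks listed in the key points rather than just a block.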


Read more: https://logpoint.com/en/blog/citrix-vulnerabilities-rising-when-gateways-give-way